The acceleration of mobile transactions, coupled with the free distribution of downloadable apps, can create significant security and management challenges. The combination of apps — sometimes installed from nontrustworthy sources — and the increase of mobile malware poses a real threat to both sensitive and confidential information stored on mobile devices.

Why Worry About Mobile Banking Transactions?

Mobile banking is an attractive target for criminal account takeover due to the rapidly growing number of users and limited fraud detection and prevention capabilities. It is also being exploited to circumvent strong authentication systems that use mobile text messages to validate high-risk transactions.

So it is no surprise that new European and global legislation is aggressively pushing for instant payments, which puts greater emphasis on financial institutions’ fraud detection and prevention in near-real time. Previous processes that allowed banks to either stop or recover transferred funds are now being eradicated, putting pressure on how to detect fraud that is occurring at the time of the transaction.

To successfully combat these constant threats, banks and financial institutions need a new paradigm — one that provides effective, nonintrusive and frictionless banking. This model must be easy to implement, manage and operate, require limited operational support and be highly adaptable to address new threats. This tiered approach must incorporate new countermeasures without any intervention by bank security staff and without any noticeable impact to banking customers.

Read the white paper to learn more: Mobile Malware Adapting PC Threat Techniques

Evaluating Mobile Device Trustworthiness

Building popular apps means being able to support a broad range of operating environments and devices. This also means that the app is exposed to potential vulnerabilities across supported devices. While Apple provides regular updates to its closed apps universe, the same can’t be said for Android’s open platform ecosystem.

Owners sometimes jailbreak their devices so they can access traditionally locked-down device capabilities, so no singular device or OS is safe. A device’s trustworthiness must always be questioned — and it is a crucial element to consider when addressing transactions performed from it.

Solutions include an embedded, dedicated security library for both Apple’s iOS and Google’s Android platforms in which a variety of parameters are scrutinized in order to provide a calculated security posture. It also generates a unique and persistent device ID. When embedding this library, the application can use device risk factors to restrict functionality on questionable devices, preventing high-risk transactions from being generated in the first place.

Safeguarding Devices

When building and deploying applications, there are common development and testing practices used. While these are excellent security procedures to follow, cybercriminals don’t need to prey upon security flaws in the application to exploit it. Off-the-shelf packers provide access to the mobile binary, exposing the internal workings of the application code and enabling attackers to access, modify, rebuild and deploy malicious code without the transaction service being aware. It also leaves the door wide open for malware and tampering.

Solutions include special guards or security units that are injected into the binary so that they cannot be identified or isolated. They defend against compromise by either obfuscating or scrambling the code. At runtime, they can check the environment in which the application is running to guarantee it’s not running on a rooted or jailbroken device or in the presence of debuggers.

Finally, ensure that the application is running as it’s designed. If it’s not, malware could be altering the behavior of your app.

Establishing User Identification

A commonly used user identification method relies on profiling as a means of identifying fraudulent transactions. Due to the statistical nature of some approaches, false negatives and false positives frequently occur. Cybercriminals take many steps to perform fraudulent transactions under the radar of this security layer, exhibiting as many characteristics of normal, customer-generated transactions as possible.

For example, cybercriminals use social engineering to fool end users into downloading SMS forwarders that will be later used to authenticate fraudulent transactions. In other attacks, malware is used to inject fraudulent transactions into fully authenticated, valid banking sessions while hiding the transaction and the resulting account balance information from the end user.

The device needs to be the first line of defense for online transactions since it is traditionally considered the weakest link. For example, organizations could use SIM card information as a means of identifying the user because it forms an anchor of mobile devices worldwide. The SIM card protects the mobile identity of subscribers, associates devices with phone numbers and stores payment credentials in NFC-enabled phones with mobile wallets.

Protecting Session Information

Today’s malware includes a wide variety of attack types. Data- and credential-stealing malware comes in the form of fake applications, SMS stealers and PC/mobile combination malware. Mobile malware can dynamically change the user experience by creating an overlay of a malicious screen on top of the legitimate application — one that the unknowing user will seamlessly interact with. This allows the extraction of personal identifiable information and personal data.

The previously mentioned dedicated security library for both iOS and Android platforms could help in this regard by inspecting certain session information. The examined information would include malware on the device, suspicious or fake apps, outdated operating systems and jailbroken/rooted information.

Preventing Cross-Channel Infections

A cross-channel infection is an infection on the mobile device caused by malware on the user’s PC. A message will appear on the user’s PC from a trusted service provider such as a bank or social media platform and it will prompt the user to carry out an action. Once users provide a phone number or scan a QR code, they receives an SMS with a link to install a so-called security app. Instead, this link downloads a malicious app that is actually an extension of the PC malware.

Cross-channel infections can be prevented with help from information on the device’s geolocation, which is based on GPS data or IP location. This can be used to detect access to the same account from two distinct locations or other anomalies that may occur during the online banking session. Additional information is analyzed to identify suspicious events across time, users and activities — for example, phishing, malware and other high-risk indicators are combined to provide a contextual picture of anomalous account activity.

By combining a traditional risk score approach with a deep knowledge of current methods of operations used by fraudsters, you can receive an evidence-based answer on whether a transaction is fraudulent.

VIDEO: Mitigate Multiple Attack Vectors with IBM Security Trusteer Mobile Solutions

More from Banking & Finance

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

DORA and your quantum-safe cryptography migration

5 min read - Quantum computing is a new paradigm with the potential to tackle problems that classical computers cannot solve today. Unfortunately, this also introduces threats to the digital economy and particularly the financial sector.The Digital Operational Resilience Act (DORA) is a regulatory framework that introduces uniform requirements across the European Union (EU) to achieve a "high level of operational resilience" in the financial services sector. Entities covered by DORA — such as credit institutions, payment institutions, insurance undertakings, information and communication technology…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today